When performing compliance analysis, if we opt to be “Not compliant” and create a Compliance exception - shouldn’t the active status be OK? if we are “intentionally non-compliant” and while the exception has not expired… that - in my perception would mean that we are aware of the status and this is accepted on temporary basis. i.e. we have a project to create new classification/labeling scheme/procedure to align with GPDR, and the current one is suspended.
My point is that the valid state of the exception should override the active status of the compliance package(risk reviews/audit failures etc), displaying a green OK(situation is managed and controlled), and only when exception expires, should active status show the problems with the compliance status.
Let me see if I follow correctly! the “Active Status” column refers to the status of any mitigation option in that row, is a bit like a summary of those mitigation statuses.
In the scenario where i simply mark a requireemnt as not complaint, i get “OK” because the mitigations are non-existent.
Which scenario are you mentioning? the image you attached is overwriting the status, im not sure what was under the green square you seem to have added there.
Right now the situation is that even though i have a valid exception, the compliance status shows the related Risk status instead of “ok”, as shown in the image (with out green box )
)